From 34d8a56b8eb44a42d49fe570cbb15ac18d508f08 Mon Sep 17 00:00:00 2001
From: imterah
Date: Sun, 18 May 2025 21:52:53 -0400
Subject: [PATCH] feature: Add ProtonVPN to prepare for *arr suite

---
 hosts/andromeda/configuration.nix | 22 ++++++++++++++++++++--
 secrets | 2 +-
 shell.nix | 8 ++++++++
 system/sops.nix | 1 +
 4 files changed, 30 insertions(+), 3 deletions(-)
 create mode 100644 shell.nix

diff --git a/hosts/andromeda/configuration.nix b/hosts/andromeda/configuration.nix
index 3a7c041..3594794 100755
--- a/hosts/andromeda/configuration.nix
+++ b/hosts/andromeda/configuration.nix
@@ -73,8 +73,9 @@
 virtualisation.oci-containers.backend = "docker";
- # Reverse Proxy setup
+ # VPN setup
 networking.wireguard.interfaces = {
+ # Reverse Proxy
 wg0 = {
 ips = [ "10.10.0.3/24" ];
 privateKeyFile = config.sops.secrets.reverse_proxy_client_privkey.path;
@@ -90,13 +91,30 @@
 persistentKeepalive = 25;
 }];
 };
+
+ # ProtonVPN
+ wg1 = {
+ ips = [ "10.2.0.2/32" ];
+ privateKeyFile = config.sops.secrets.protonvpn_privkey.path;
+ table = "70";
+
+ postSetup = "ip rule add from 10.2.0.2 table 70";
+ preShutdown = "ip rule del from 10.2.0.2 table 70";
+
+ peers = [{
+ publicKey = "OuhID2usMSMoGAiLExUhH0lrOMJQ3v8xFWS+6G3JLRs=";
+ allowedIPs = [ "0.0.0.0/0" ];
+ endpoint = "149.102.227.30:51820";
+ persistentKeepalive = 25;
+ }];
+ };
 };

 # Tailscale fixer-uppers
 networking.nat = {
 enable = true;
 enableIPv6 = true;
-
+
 internalInterfaces = [ "enp6s18" ];
 externalInterface = "wg0";
 };
diff --git a/secrets b/secrets
index 6c64740..14e0ac1 160000
--- a/secrets
+++ b/secrets
@@ -1 +1 @@
-Subproject commit 6c647408e3b8e3a6645d61f32ea12304741fc341
+Subproject commit 14e0ac1a7f2a034c270aa10dbc66179b32fc7a7e
diff --git a/shell.nix b/shell.nix
new file mode 100644
index 0000000..8444f9d
--- /dev/null
+++ b/shell.nix
@@ -0,0 +1,8 @@
+{
+ pkgs ? import { },
+}: pkgs.mkShell {
+ buildInputs = with pkgs; [
+ sops
+ compose2nix
+ ];
+}
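Review bot: The ProtonVPN policy route in the new wg1 block does not fail closed: `ip rule add from 10.2.0.2 table 70` only steers traffic from 10.2.0.2 into the tunnel while table 70 still holds the wg1 route, and as far as I can tell from the hunk nothing stops the lookup from falling through to the main table (and the normal default route) when the interface is down, the handshake never completes, or setup fails before preShutdown runs. A lower-priority unreachable rule for the same source closes that gap, e.g. `postSetup = "ip rule add from 10.2.0.2 table 70 priority 100; ip rule add from 10.2.0.2 unreachable priority 101";` with the matching `ip rule del` pair in preShutdown (both priorities must stay below the main table's 32766). Only 0.0.0.0/0 is routed and no DNS is configured for the tunnel, so IPv6 and name resolution from whatever later binds to 10.2.0.2 presumably still leave via the host — worth confirming once the *arr containers are added, especially with networking.nat.enableIPv6 on. The hard-coded endpoint and publicKey would also benefit from a comment naming the Proton server/config they were taken from, since those rotate and nothing here records the source.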
diff --git a/system/sops.nix b/system/sops.nix
index 7ab3ce8..bf2ba0a 100755
--- a/system/sops.nix
+++ b/system/sops.nix
@@ -22,6 +22,7 @@ in
 neededForUsers = true;
 };
 reverse_proxy_client_privkey = {};
+ protonvpn_privkey = {};
 caddy_docker_env = {};
 tailscale_docker_env = {};
 forgejo_db_docker_env = {};